Suppressing HTTP Headers from WebSphere Application Server


Page 1

Suppressing HTTP Headers from WebSphere Application Server

18 December 2013, Version 0.5

Dave Hay, IBM Software Services for WebSphere (ISSW)

[email protected], +44 7802 918423

Page 2

The Problem

● Our client has identified a risk of giving a potential attacker too much information: WebSphere Application Server (WAS) returns its version string in the Server header of the response to a simple HTTPS request.

Page 3

This is what we see

● This is from IBM BPM Standard 7.5.1.1 (Process Center)

Page 4

This is how we resolve it

● WAS includes the ability to override certain HTTP headers.

● Overrides include:

ServerHeaderValue – allows the Server header to be set to a custom string
RemoveServerHeader – allows the Server header to be removed completely

● Both are custom properties of the HTTP inbound channel (Web container transport chain > HTTP inbound channel > Custom properties) and take effect once the server has been restarted.

● Hiding the version string is hardening, not a substitute for patching: an attacker can often still infer the product and release from other response characteristics.

● This is documented in the Information Center (see Bibliography).

Page 5

How to set HTTP Headers – 1/2

Page 6

How to set HTTP Headers – 2/2

OR

Page 7

Example – Using ServerHeaderValue

Page 8

Example – Using RemoveServerHeader
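As an added example (not part of the deck, and not IBM's own code), the following wsadmin Jython script applies the two custom properties from slides 4 to 8 to every HTTP inbound channel of the named servers, so the change can be scripted across a cell rather than clicked through the admin console one server at a time. It also handles the case the slides leave open: switching from RemoveServerHeader to ServerHeaderValue on a channel that already has RemoveServerHeader=true. The script name, the -value argument, the server names and the config ids in the comments are assumptions; the AdminConfig calls are the standard wsadmin ones, and the code is kept Jython 2.1 compatible (no True/False, no f-strings) because that is what WAS 7.0/8.0 wsadmin runs.

```python
# Added example (not from the deck): wsadmin Jython script that sets the
# RemoveServerHeader / ServerHeaderValue custom properties on every HTTP
# inbound channel owned by the named application servers.
#
#   wsadmin.sh -lang jython -f suppress_server_header.py server1 server2
#   wsadmin.sh -lang jython -f suppress_server_header.py server1 -value Web
#
# Assumptions (not taken from the slides): AdminConfig.list/create/modify/
# showAttribute/save behave as documented for WAS 7.0/8.0, and under wsadmin
# sys.argv holds only the script arguments (no script name).
import sys


def server_name_of(config_id):
    """Pull the server name out of a config id such as
    'HTTP_2(cells/c1/nodes/n1/servers/server1|server.xml#HTTPInbound_1)'."""
    marker = '/servers/'
    start = config_id.find(marker)
    if start < 0:
        return None
    rest = config_id[start + len(marker):]
    return rest.split('|')[0].split('/')[0]


def find_property(admin_config, parent_id, name):
    """Config id of the custom property called name under parent_id, or None."""
    for prop_id in admin_config.list('Property', parent_id).split('\n'):
        prop_id = prop_id.strip()
        if prop_id and admin_config.showAttribute(prop_id, 'name') == name:
            return prop_id
    return None


def set_property(admin_config, parent_id, name, value):
    """Create or update custom property name=value; returns 'created' or 'updated'."""
    existing = find_property(admin_config, parent_id, name)
    if existing is None:
        admin_config.create('Property', parent_id, [['name', name], ['value', value]])
        return 'created'
    admin_config.modify(existing, [['value', value]])
    return 'updated'


def suppress_server_header(admin_config, target_servers, custom_value=None):
    """Apply the override to each HTTPInbound channel owned by a target server.

    custom_value=None  -> RemoveServerHeader=true  (header removed entirely)
    custom_value='Web' -> ServerHeaderValue=Web    (header replaced); any
                          RemoveServerHeader left over from an earlier run is
                          set to false so the two settings do not conflict.
    Returns a list of (channel_id, property_name, action)."""
    results = []
    for channel in admin_config.list('HTTPInbound').split('\n'):
        channel = channel.strip()
        if not channel or server_name_of(channel) not in target_servers:
            continue
        if custom_value is None:
            action = set_property(admin_config, channel, 'RemoveServerHeader', 'true')
            results.append((channel, 'RemoveServerHeader', action))
        else:
            action = set_property(admin_config, channel, 'ServerHeaderValue', custom_value)
            results.append((channel, 'ServerHeaderValue', action))
            if find_property(admin_config, channel, 'RemoveServerHeader') is not None:
                action = set_property(admin_config, channel, 'RemoveServerHeader', 'false')
                results.append((channel, 'RemoveServerHeader', action))
    return results


# Entry point under wsadmin. The NameError guard keeps the file importable
# (and testable against a fake AdminConfig) outside wsadmin.
try:
    AdminConfig
except NameError:
    AdminConfig = None

if AdminConfig is not None:
    args = sys.argv[:]
    value = None
    if '-value' in args:
        i = args.index('-value')
        value = args[i + 1]
        args = args[:i] + args[i + 2:]
    if not args:
        print('usage: wsadmin -lang jython -f suppress_server_header.py server [server ...] [-value text]')
    else:
        for channel, name, action in suppress_server_header(AdminConfig, args, value):
            print('%s %s on %s' % (action, name, channel))
        AdminConfig.save()
        # Then synchronise the nodes and restart the servers: HTTP transport
        # channel custom properties are read at server start.
```

The script matches channels by the server name embedded in the config id, so the deployment manager's own HTTP inbound channels are left alone unless "dmgr" is passed explicitly. After AdminConfig.save() a node synchronisation and a server restart are still needed before the new header behaviour is visible.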

Page 9

Backup

● The same "risk" has been identified with IBM HTTP Server (IHS).

● This can be mitigated by adding:

AddServerHeader Off
ServerTokens Prod
ServerSignature Off

to the IHS httpd.conf file.

● AddServerHeader Off is IHS-specific and suppresses the Server header altogether. ServerTokens Prod on its own still sends "IBM_HTTP_Server", just without a version, and ServerSignature Off removes the server line from pages IHS generates itself, such as error pages. Restart IHS after editing httpd.conf.
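To confirm the change on both the WAS transport (for example the 9443 port the deck's screenshots were taken from) and the IHS front end, here is an added Python 3 check that is not part of the deck. It fetches a URL over HTTPS and classifies the Server header as absent (what RemoveServerHeader=true or AddServerHeader Off produces), no-version (a neutral ServerHeaderValue, or ServerTokens Prod alone) or version-disclosed (the state shown on slide 3), and exits non-zero when any target still discloses a version. The hostnames, ports and the --insecure flag are assumptions; the classification is a simple version-number pattern, not anything IBM documents.

```python
"""Added example (not from the deck): report whether a WAS or IHS endpoint still
discloses a version string in its Server header.

    python check_server_header.py was01.example.com:9443 ihs01.example.com:443
    python check_server_header.py lab.example.com:9443 --insecure

Hostnames, ports and --insecure are assumptions made for this example.
"""
import http.client
import re
import ssl
import sys

# Anything that looks like a version: "8.0", "8.5.5.0", or a "/" followed by a digit.
VERSION_RE = re.compile(r'\d+(\.\d+)+|/\d')


def classify_server_header(value):
    """Return 'absent', 'version-disclosed' or 'no-version' for a Server header value."""
    if value is None or value.strip() == '':
        return 'absent'
    if VERSION_RE.search(value):
        return 'version-disclosed'
    return 'no-version'


def audit_headers(headers):
    """Classify the Server header in a dict of lower-cased response headers.
    Returns a list of (header_name, value, verdict) so more headers can be added later."""
    value = headers.get('server')
    return [('Server', value, classify_server_header(value))]


def is_acceptable(findings):
    """True when no audited header discloses a version. Both 'absent'
    (RemoveServerHeader / AddServerHeader Off) and 'no-version'
    (ServerHeaderValue=Web / ServerTokens Prod) pass."""
    return all(verdict != 'version-disclosed' for _, _, verdict in findings)


def fetch_headers(host, port, path='/', verify=True, timeout=10):
    """GET path over HTTPS and return the response headers keyed by lower-cased name."""
    context = ssl.create_default_context()
    if not verify:                      # only for lab hosts with self-signed certificates
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=timeout)
    try:
        conn.request('GET', path)
        resp = conn.getresponse()
        resp.read()                     # drain the body so the connection closes cleanly
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def main(argv):
    verify = '--insecure' not in argv
    targets = [a for a in argv if a != '--insecure']
    exit_code = 0
    for target in targets:
        host, _, port = target.partition(':')
        findings = audit_headers(fetch_headers(host, int(port or 443), verify=verify))
        for name, value, verdict in findings:
            print('%s  %s: %r  [%s]' % (target, name, value, verdict))
        if not is_acceptable(findings):
            exit_code = 1
    return exit_code


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```

Run it against the WAS port directly as well as through IHS, because the two are configured independently (slides 4 and 9) and one can be fixed while the other still leaks. A GET is used rather than HEAD so the result reflects what a browser would receive.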

Page 10

Bibliography

WAS 8.0 – Information Center – HTTP transport channel custom properties

WAS 7.0 – Information Center – HTTP transport custom properties

Apache Documentation – ServerSignature Directive

Apache Documentation – ServerTokens Directive

IHS Documentation – AddServerHeader Directive